From: Ferruh Yigit
To: Marvin Liu, stephen@networkplumber.org, thomas@monjalon.net, maxime.coquelin@redhat.com, qian.q.xu@intel.com
Cc: dev@dpdk.org
References: <20210125015736.7555-1-yong.liu@intel.com> <67154af1-a00e-2572-5ae9-75d965ab3169@intel.com>
Date: Thu, 25 Feb 2021 14:14:29 +0000
Subject: Re: [dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response

On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> On 1/25/2021 1:57 AM, Marvin Liu wrote:
>> Sometimes the security team won't send a confirmation mail back to the reporter
>> within three business days. This means the reported vulnerability is either low
>> severity or not a real vulnerability. The reporter should assume that the
>> issue needs the shortest embargo. After that the reporter can submit it through the
>> normal bugzilla process or send out a fix patch to the public.
>>
>> Signed-off-by: Marvin Liu
>> Signed-off-by: Qian Xu
>>
>> diff --git a/doc/guides/contributing/vulnerability.rst
>> b/doc/guides/contributing/vulnerability.rst
>> index b6300252ad..cda814fa69 100644
>> --- a/doc/guides/contributing/vulnerability.rst
>> +++ b/doc/guides/contributing/vulnerability.rst
>> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>>   * Reporter credit
>>   * Bug ID (empty and restricted for future reference)
>> +If no confirmation mail send back to reporter in this period, thus mean security
>> +team take this vulnerability as low severity. Furthermore shortest embargo
>> **two weeks**
>> +is required for it. Reporter can sumbit the bug through normal process or send
>> +out patch to public.
>> +
>
> Agree to not block the fixes; it is defeating the purpose of having a
> vulnerability process.

The patch has been out for a while and there is no objection so far; I suggest we just continue with the fixes stuck in the process.
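Review bot: the new paragraph is added at column 0 directly under the indented bullet `* Bug ID (empty and restricted for future reference)` with no blank line between them, so docutils will warn that the bullet list ends without a blank line and the rendering of the list is at risk; add an empty `+` line before `+If no confirmation mail send back to reporter in this period, ...`. The wording also needs a pass before merging: "in this period" has no antecedent in the surrounding context (the preceding text lists what the report mail must contain, not a response deadline), so state the period explicitly, as the commit message does with "three business days"; and the sentence should read "If no confirmation mail is sent back to the reporter in this period, this means the security team treats this vulnerability as low severity", with "sumbit" corrected to "submit".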